Voracle Attacks: What they are and how to prevent them

Everything you need to know about Voracle attacks and how to prevent them.

A security vulnerability in VPNs has been recently discovered. This simple attack makes it possible for hackers to piece together a VPN’s encrypted HTTP data.

Tech security researcher Ahamed Nafeez presented this new attack during the latest Black Hat and DEF CON security conferences. Needless to say, this news got the attention of VPN providers and users alike.

What is a Voracle attack?

Strictly speaking, a Voracle attack isn’t really a new attack but the result of mixing older cryptographic attacks together: BREACH (2013), CRIME (2012), and TIME (2013).

These attacks showed that by adding known bits of data to HTTP data before it was compressed and encrypted allowed researchers to recover TLS-encrypted data — and thus the encrypted key for that secure communication session.

Nafeez found that their theoretical points were still valid when it came to certain VPN traffic: HTTP data that was compressed prior to encryption by the VPN.

This is because although these older attacks were fixed and resulted in updates on how encrypted HTTPS data was handled, these updates didn’t fix the OpenVPN protocol (which still used TLS) nor did they solve how compression acted upon encrypted HTTP traffic as opposed to encrypted HTTPs traffic.

How Voracle attacks work

Simply put: a Voracle attack is a Compression Oracle attack on a VPN.

It all starts with the OpenVPN protocol. This protocol’s default setting is to compress all data before encrypting it with TLS (Transport Layer Security). It’s a well-known fact that most compression algorithms reduce the size of data packets by removing duplicate pieces of data.

Hackers exploit this fact that by continually adding small but variable bits of similarly-sized known data (plain text) to larger quantities of secret data. They then watch for changes in the size of the resulting encrypted packages and compare it to brute-forced potential values. This process eventually lets them obtain the session cookie or session data.

Initiating a Voracle attack is no easy task because it requires the presence of very specific variables.

For starters, the attacker needs to be on the same network as the target. The target also has to be using an HTTP connection and not HTTPS. The target’s browser should also be vulnerable to Voracle — that’s any browser except Google Chrome. The attacker will then need to lure the target to an HTTP website that the attacker controls (which is how the attacker adds variable bits of data to the encrypted stream of data between the target’s browser and VPN service); and lastly, the target has to be using OpenVPN with compression engaged.

Once all these variables align, an attacker can then take over the target’s account for the rest of the VPN session until it’s closed by the attacker or the VPN service. During this takeover period, the attacker can permanently capture a VPN account by changing the user password — although this depends on the level of account security established by the VPN service.

How can Voracle attacks be prevented?

Since Voracle attacks need very specific variables before an attack can be initiated, users can take these simple steps to keep safe from these attacks.

Change your VPN protocol from OpenVPN

It should be noted that Nazeef informed the OpenVPN Project of this vulnerability. The people behind the project decided to add an explicit warning in its documentation regarding the dangers of using pre-encryption documentation. But, that’s all.

They didn’t change OpenVPN’s default setting of compressing data before encryption as part of the VPN tunnel — which comes with benefits to performance.

That said:

You can simply switch your VPN’s protocol from OpenVPN if your VPN provider allows this option.

Stay away from HTTP websites

This one is a no-brainer.

HTTPS traffic sent through a VPN service is immune to Voracle. Since Voracle attacks don’t work on already encrypted data before it’s compressed, you only need to stay away from HTTP websites.

Use Google Chrome/Chromium

If your VPN provider doesn’t let you change in between protocols, you can still be safe from Voracle attacks if you use Google Chrome/Chromium.

Voracle attacks don’t work on Chrom/Chromium-based browsers. This is because these browsers split HTTP requests into header and body and not as one big data packet.

Look for a VPN that has fixed this vulnerability

If you’re looking to use a VPN or are already doubting your current VPN provider, you should switch to a VPN that has fixed its vulnerability to Voracle attacks.

As of the time of writing this post, I found three VPN providers that fixed this vulnerability: